Re: [Cfrg] Comparing ECC curves
Phillip Hallam-Baker <phill@hallambaker.com> Thu, 24 July 2014 13:25 UTC
Return-Path: <hallam@gmail.com>
X-Original-To: cfrg@ietfa.amsl.com
Delivered-To: cfrg@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id B25741A0331 for <cfrg@ietfa.amsl.com>; Thu, 24 Jul 2014 06:25:58 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.278
X-Spam-Level:
X-Spam-Status: No, score=-1.278 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, FM_FORGED_GMAIL=0.622, FREEMAIL_FROM=0.001, SPF_PASS=-0.001] autolearn=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 9J1323Q0cMxe for <cfrg@ietfa.amsl.com>; Thu, 24 Jul 2014 06:25:57 -0700 (PDT)
Received: from mail-wi0-x22b.google.com (mail-wi0-x22b.google.com [IPv6:2a00:1450:400c:c05::22b]) (using TLSv1 with cipher ECDHE-RSA-RC4-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 301341A032F for <Cfrg@irtf.org>; Thu, 24 Jul 2014 06:25:57 -0700 (PDT)
Received: by mail-wi0-f171.google.com with SMTP id hi2so9580243wib.16 for <Cfrg@irtf.org>; Thu, 24 Jul 2014 06:25:54 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=mime-version:sender:in-reply-to:references:date:message-id:subject :from:to:cc:content-type; bh=7oeKlRIcCiwP/i2fhJADOfy4a/bhjpv4AUO2pC9mE2w=; b=YlP6S7Q2V7zAXcB6qyjIInMzaLqljTNvpMbc+qRt5GK60/OsMfP8CXHfX5nvJsokyO li4XR32vsMMlL57B/Rjtm2Tdc+iP63zI/D54jN3X1Cn7Hw5ur0lzKKyYfpfmOA7DTzf+ 5dB5XC7siLLxFpz6d0b3eEsKY2S0ER2cNIeoIT02upsA5dSSUA+RcaljDxm8xEH6FFkz qhMYsAvi5/I72ER8awM2e710kF/aSCFbZjRqr7jApQ3FjCiyItgls8J8hG8KfLmUQka9 5RCOESbIZzh+K0ZC6PV+l5YMRczWaMvta760oYgsSGQqvC7R7Jq8m2Pq4nGYd+otzag7 hFWg==
MIME-Version: 1.0
X-Received: by 10.194.158.226 with SMTP id wx2mr12233508wjb.107.1406208353596; Thu, 24 Jul 2014 06:25:53 -0700 (PDT)
Sender: hallam@gmail.com
Received: by 10.194.123.167 with HTTP; Thu, 24 Jul 2014 06:25:53 -0700 (PDT)
In-Reply-To: <CACsn0cmywvO1eNf96nyVtP8dYdqAPj9QYCLCdMNNbnkYN-05hQ@mail.gmail.com>
References: <CAMm+Lwj9EPJ9v92xrkM1ceAbkWYe22fpOOBObUbUJjkk8X0dng@mail.gmail.com> <CA+Vbu7xAcKjpeqWGqkVRQeENELdMYUpZF6BNb2ntne25_dyzKg@mail.gmail.com> <CAMm+LwgDZR1_onqJ2sAEx7=rgh7=9mGYuqS36nb0T-RAr6Vgnw@mail.gmail.com> <CACsn0c=o0HFdr_qn--H8ZStQan2asbt-M60kP_70p1DCT5f0_w@mail.gmail.com> <CAMm+LwjxnGw6hgoba_V+GY8WVKh-YGpPkw1AFfn_RvoX+2OzKQ@mail.gmail.com> <CACsn0cmywvO1eNf96nyVtP8dYdqAPj9QYCLCdMNNbnkYN-05hQ@mail.gmail.com>
Date: Thu, 24 Jul 2014 09:25:53 -0400
X-Google-Sender-Auth: _A2Z4MfJuEGECZnSm9aKhUFpNMc
Message-ID: <CAMm+Lwhp-N+gU5ThCu1CdjvWzbg-T8xw_-t4tHu4TsZ-WvuGMA@mail.gmail.com>
From: Phillip Hallam-Baker <phill@hallambaker.com>
To: Watson Ladd <watsonbladd@gmail.com>
Content-Type: text/plain; charset="UTF-8"
Archived-At: http://mailarchive.ietf.org/arch/msg/cfrg/8n37XbiTEfMffmzekdLT2qvi5UI
Cc: "cfrg@irtf.org" <Cfrg@irtf.org>
Subject: Re: [Cfrg] Comparing ECC curves
X-BeenThere: cfrg@irtf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Crypto Forum Research Group <cfrg.irtf.org>
List-Unsubscribe: <http://www.irtf.org/mailman/options/cfrg>, <mailto:cfrg-request@irtf.org?subject=unsubscribe>
List-Archive: <http://www.irtf.org/mail-archive/web/cfrg/>
List-Post: <mailto:cfrg@irtf.org>
List-Help: <mailto:cfrg-request@irtf.org?subject=help>
List-Subscribe: <http://www.irtf.org/mailman/listinfo/cfrg>, <mailto:cfrg-request@irtf.org?subject=subscribe>
X-List-Received-Date: Thu, 24 Jul 2014 13:25:59 -0000
On Wed, Jul 23, 2014 at 11:50 PM, Watson Ladd <watsonbladd@gmail.com> wrote: > On Wed, Jul 23, 2014 at 7:56 PM, Phillip Hallam-Baker > <phill@hallambaker.com> wrote: >> The idea of this is that future protocols would not make MTI choices >> of algorithms, they would reference the consensus RFC and leave it at >> that. If we change our idea of what necessary crypto is, the consensus >> RFC would be made obsolete and replaced by a new one. > > While I agree with the overall sentiment (excess agility is harmful, > we need to mandate two ciphers to > have a backup, crypto should be centralized by someone who knows what > they are doing), treating > this decision as though your draft was already ready doesn't work. In > particular this decision has to > be made assuming the status quo with regards to algorithms. I don't think so. The Status Quo emerged from the days when each WG made the choice of algorithms independently. We have already decided to only make that decision in CFRG. The reason for pointing to the draft is that it makes the argument in greater detail, not to suggest it was a decision already made. We discussed the need for the draft in SECDIR and I was asked to write it. So far, yours is the first response... > There are good reasons to have both CCM and GCM for example. A > nonce-reuse resistant protocol would > be more expensive than either, but potentially useful in cases where > protocols that fail when nonces are reused > would not be. There we get into protocol design and the question is whether we should standardize on 'AES' for encryption or AES-CBC / AES-GCM, etc. I would really like to standardize on AES-GCM going forward for new protocols. But right now I can't use that in Windows .NET without writing my own AES code. Hmmm. For existing protocols written before encrypt and authenticate became fashionable, I would not want to go back and try to retrofit use of an E&A scheme. That would certainly not be something to do in the consensus draft. > In particular the Great Cleanup has yet to begin: having consensus > crypto now requires reworking everything > to use it. No, not at all. The idea of stating what the consensus is so that an implementation can state that it complies with RFC-6071 and RFC-XXXX and tell people that it will interoperate securely with implementations that comply with either. So if HMAC-SHA1 is specified as MTI in the base spec and HMAC-SHA-2-256 as MTI in RFC-XXXX, then an implementation claiming to be compliant with both would have to implement both. What this approach does not fully address is what to do if the base spec specifies MD5 and there is no RFC that has come out saying 'do not use MD5'. > We're going to have to change the order of encrypt then MAC in PGP > (which has no MAC), Kerberos(!), > SSH(!!), the record protocol in TLS (!!!) to get them all to be the > same. Order of operations is a protocol design choice, not an algorithm choice. Funny thing is that people keep telling me that it is absolutely vital that the order be one or the other 'because security' but which is better changes. Obviously the order is going to have an effect on security. But changing it has a bigger effect on code. If people wanted consistency at that level they would have to write drafts for each protocol to harmonize them all. I don't see the point in that unless it is part of the ongoing process of rewriting everything in JSON. >> I will also note that it looks like we now have a pretty strong >> primary and backup for hash functions and MACs and seem to be >> approaching consensus on public key (RSA plus ECC exact scheme to be >> decided). That leaves a gap for backup encryption algorithm. > > RSA is slow, requires big keys, and is usually used incorrectly in > IETF protocols: > OAEP should be be used instead of PKCS 1.5 encryption. Interesting TLS > has decided to use > DHE and ECDH, with no proposal to put RSA back on, except for > signatures (which sadly > are not PSS). Well the PKIX stack in the WebPKI is currently limited to RSA2048 in practice, so I don't know what that means. The RFC cited in the draft specifies OAEP and PKCS 1.5. It should be just OAEP. I was looking for the OAEP draft, didn't notice it also has the PKCS 1.5.
- [Cfrg] Comparing ECC curves Phillip Hallam-Baker
- Re: [Cfrg] Comparing ECC curves Benjamin Black
- Re: [Cfrg] Comparing ECC curves Michael Hamburg
- Re: [Cfrg] Comparing ECC curves Phillip Hallam-Baker
- Re: [Cfrg] Comparing ECC curves Watson Ladd
- Re: [Cfrg] Comparing ECC curves Phillip Hallam-Baker
- Re: [Cfrg] Comparing ECC curves Watson Ladd
- Re: [Cfrg] Comparing ECC curves Patrick Longa Pierola
- Re: [Cfrg] Comparing ECC curves Phillip Hallam-Baker
- Re: [Cfrg] Comparing ECC curves David Jacobson
- Re: [Cfrg] Comparing ECC curves Phillip Hallam-Baker
- Re: [Cfrg] Comparing ECC curves Patrick Longa Pierola
- Re: [Cfrg] Comparing ECC curves Mike Hamburg
- Re: [Cfrg] Comparing ECC curves Phillip Hallam-Baker
- Re: [Cfrg] Comparing ECC curves Mike Jones
- Re: [Cfrg] Comparing ECC curves Yoav Nir
- Re: [Cfrg] Comparing ECC curves Michael Hamburg